
Need help creating a VBScript.


I'm trying to automate the clean-up of hacked websites but unfortunately I have great ideas but not enough knowledge to create the solution that I have written down.

I want to create a script which will search for the following code <?php*.*PCT4BA6ODSE*.*?> within all .php files of a folder including subfolders. In this code the symbol *.* can be really anything, for example;


Why do you want to do that in VBScript of all languages? You're going to have a fairly difficult time trying to programmatically identify the correct PHP code to remove. In your example above, you're only going to find and remove that one piece of code. It might be better to search for "eval" instead, since the vast majority of malicious PHP scripts will use it. Instead of trying to automatically remove malicious code, which is difficult to actually determine, you might want your program to just list all of the files that contain eval so that each one can be inspected to see if it's actually malicious and, if so, which code should be removed.

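As an added example (not code from the thread or its posters), one way to build the report-only list suggested in the reply above: a Python scanner that walks a folder's .php files, flags any single `<?php ... ?>` block containing the marker quoted in the question, and separately flags `eval(` calls, without changing any file. The sample tree, file names and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MARKER = b"PCT4BA6ODSE"  # marker string quoted in the thread
NOT_CLOSE = rb"(?:(?!\?>).)*?"  # any bytes, but never run past a closing ?>
# One <?php ... ?> block that contains the marker. A "?>" inside a PHP string
# literal would end the match early, which is acceptable for a review list.
BLOCK = re.compile(rb"<\?php" + NOT_CLOSE + re.escape(MARKER) + NOT_CLOSE + rb"\?>", re.S)
EVAL = re.compile(rb"\beval\s*\(")  # broader signal; legitimate code can hit it too


def scan_file(path):
    """Return (kind, line, length) findings for one file; never modifies it."""
    data = path.read_bytes()
    hits = []
    for kind, rx in (("marker-block", BLOCK), ("eval", EVAL)):
        for m in rx.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            hits.append((kind, line, m.end() - m.start()))
    return hits


def scan_tree(root):
    """Map relative path -> findings for every .php file under root."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_file(path) if path.is_file() else []
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def build_sample(root):
    """Constructed, inert sample tree (no real payload)."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "index.php").write_bytes(b'<?php $a = "PCT4BA6ODSE"; ?><?php\necho "home";\n')
    (root / "lib" / "util.php").write_bytes(b"<?php\nfunction run($c) { return eval($c); }\n")
    (root / "clean.php").write_bytes(b'<?php echo "ok"; ?>\n')
    (root / "notes.txt").write_bytes(b"PCT4BA6ODSE mentioned in a non-PHP file\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, hits in scan_tree(tmp).items():
            for kind, line, length in hits:
                print(f"{name}:{line}: {kind} ({length} bytes)")
```

The marker-block length shows the match stopping at the first closing tag rather than swallowing the legitimate code that follows it in the same file.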

I know how to determine and find all the malicious code within all the files of a domain; however, I get about eight different hacked domains daily so I need something to speed up the process.

Which language do you recommend I use to find the code as explained above? And could you point me in the right direction to identify the start (<?php), content (PCT4BA6ODSE) and end (?>) of the malicious code?


I get about eight different hacked domains daily so I need something to speed up the process.

What you really need to do is figure out how they are gaining access to write code into the files and close those holes, rather than patching the symptoms. That's definitely easier said than done though. If you're running WordPress sites, then the first thing to look at is making sure that WordPress and all plugins and themes are updated. If those things aren't getting updated regularly then attacks like this are a matter of time. The code you showed above will let an attacker execute any PHP code they want on your server, which is a major problem.

Which language do you recommend I use to find the code as explained above?

I guess it depends on the platform. If you have Windows servers then maybe you can compile a VB application and run that. If it's a Linux server, other options would include Perl or Python or you could even do this with PHP. I'm betting that the vulnerabilities are in PHP scripts, so the PHP code would have the same level of access to edit the various files.

And could you point me in the right direction to identify the start (<?php), content (PCT4BA6ODSE) and end (?>) of the malicious code?

I suppose that regular expressions would be the best way to go. The regular expression pattern might look like this, although I haven't tested it: